🚨 Canvas Data Breach: What Parents of Students Need to Know Right Now
A massive security breach at Instructure — the company behind Canvas, the learning management system used by thousands of schools worldwide — has exposed the personal data of up to 275 million students, teachers, and staff. If your child uses Canvas for homework, grades, or school communication, their information may be at risk.
We've spent the last 48 hours tracking this story as it developed, and in this guide we'll tell you exactly what was stolen, what wasn't, and — most importantly — the five things you need to do for your family right now.
How Did This Breach Affect So Many Schools?
Canvas isn't a small platform. It's used by over 8,000 schools and universities worldwide — from kindergartens to Ivy League colleges. When ShinyHunters targeted Instructure, they didn't need to break into each school individually. They hit the central hub where everyone's data lives.
Think of it like this: instead of trying to rob 8,000 houses, the thieves broke into the single security company that holds keys to all of them. That's why one breach can affect nearly 9,000 institutions and a quarter of a billion people.
"ShinyHunters did not need to breach thousands of individual school firewalls. They exploited a single centralized platform to access student data across the globe." — Dr. Chase Cunningham, Lumu.io
The attack worked through a compromised API and privileged credentials. Once inside, the hackers accessed the full Canvas database — student profiles, teacher accounts, message archives, and internal systems. Instructure has since deployed security patches, rotated application keys, and forced customers to reauthorize API access.
What Data Was Stolen — and What Wasn't
Here's what Instructure and independent security researchers have confirmed. Let's break it down clearly:
| Data Type | Exposed? | Details |
|---|---|---|
| Student names | ✅ Yes | Full names of students, teachers, and staff |
| Email addresses | ✅ Yes | Personal email addresses — 231 million unique emails |
| Student ID numbers | ✅ Yes | School-issued student identifiers |
| Private messages | ✅ Yes | Billions of messages between students and teachers |
| Passwords | ❌ No evidence | No passwords compromised — but don't reuse them anyway |
| Birth dates | ❌ No evidence | Not part of this breach |
| Government IDs | ❌ No evidence | No SSN, passport numbers, or driver's licenses |
| Payment info | ❌ No evidence | Credit card and financial data not affected |
The message data is what worries security experts most. These messages can contain homework feedback, disciplinary conversations, special education records, college recommendation letters, and sensitive family information. Unlike a stolen password (which you can change), you can't un-send a private message that's already leaked on the dark web.
Who Is Behind This Attack?
The group claiming responsibility is ShinyHunters, one of the most prolific hacking and extortion gangs active today. They've been operating since 2020 and have a long track record of targeting major organisations:
- ADT — 5.5 million customer records breached via Okta vishing (April 2026)
- AT&T Wireless — Major customer data exposure
- Santander Bank — Customer database compromised
- Rockstar Games — Internal data leaked
- European Commission — Sensitive EU data accessed
ShinyHunters operates a "Pay or Leak" model on the dark web. They demand a ransom, and if the victim doesn't pay, they publish the stolen data for anyone to download. The group posted their demand for Instructure on May 3, 2026, on a Tor-based leak site with the message: "FINAL WARNING PAY OR LEAK."
TechCrunch confirmed the breach by reviewing samples of stolen data provided by ShinyHunters, including records from a school in Massachusetts and one in Tennessee. The data matched real student information, confirming the hack was genuine.
Why This Matters for Parents and Families
If you're a parent, this breach hits closer to home than most data leaks. Here's why we're particularly concerned:
1. Children's data can't be "refreshed." When an adult's credit card is stolen, they cancel the card and get a new one. But a child's name, email address, and school records are permanent. Identity thieves can use this information for years before anyone notices.
2. Targeted phishing scams are coming. Hackers now have your child's name, their email address, and the name of their school. They can send highly convincing emails that look like they're from a teacher or school administrator. These phishing messages might ask your child to "verify their account" or "click here to view a new assignment." The FBI IC3 has warned that breach-related phishing attacks spike within 72 hours of major data leaks.
3. Private school conversations could be exposed. The stolen data includes messages between students and teachers. These conversations can include sensitive topics like learning support needs, behavioural issues, college counselling discussions, and personal academic advice.
4. Credential stuffing is a real risk. Even though Canvas passwords weren't stolen, many students reuse the same email and password combination across multiple sites. Hackers will use the stolen email list to try those same credentials on other platforms — banking apps, social media, streaming services, and more.
"Over 2.8 billion usernames and passwords were stolen by cybercriminals in the past year alone. The Canvas breach adds 231 million unique emails to that pool." — KELA State of Cybercrime 2026 report (cited by Forbes)
5 Things Parents Should Do Right Now
Here's our practical step-by-step guide. We've tested these steps with real families and they take about 20 minutes total. Do them in this order:
1. Check If Your Family's Email Is in the Breach
Go to Have I Been Pwned (haveibeenpwned.com) — it's free, no sign-up needed. Enter your email address and your child's email address. The site will tell you if either appears in known data breaches, including the Canvas leak. This is the quickest way to know for sure if your data was involved. The Trusty Password manager companion complements password managers by generating unique credentials for every site.
NCSC (the UK's National Cyber Security Centre) also recommends checking their "Check if your email has been hacked" tool on cyberaware.gov.uk for UK-based families.
2. Create Strong, Unique Passwords for Every Account
Even though Canvas passwords weren't stolen, this is the perfect moment to reset your family's password hygiene. Every account — school portal, email, streaming, gaming — needs its own unique password. Here's our rule of thumb:
Use our free password generator to create passwords that are at least 16 characters long with a mix of letters, numbers, and symbols. Or use a passphrase — four random words strung together like "GiraffeTwistsPurpleRain2026" — which is both stronger and easier to remember.
3. Enable Two-Factor Authentication Everywhere
Two-factor authentication (2FA) is the single most effective security measure you can enable. According to Microsoft, 2FA blocks 99.9% of automated cyberattacks. If your child's school portal, email service, or any other platform offers 2FA, turn it on today. Most services support either a text message code, an authenticator app like Google Authenticator or Microsoft Authenticator, or a security key.
We've written a complete guide to setting up 2FA if you need step-by-step help.
4. Talk to Your Child About Phishing
Sit down with your child and explain: if they get an email, text message, or Canvas message asking them to click a link, download a file, or enter their password — stop and check with a parent first. Hackers will use the stolen data from this breach to make their messages look incredibly convincing, referencing real teachers, real class names, and real assignments.
Show them how to hover over links to see the real URL before clicking. If a message claims to be from their school but the link goes to "canvas-secure-login.xyz" instead of their school's real domain — that's a scam.
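Here is what "see the real URL" means in practice, as an added example that is not part of the original guide or any school's tooling. It reads a link the way a browser does and compares the host against the school's own; `canvas.school.example` is a made-up placeholder for your school's real Canvas address, and `checkLink` is a name chosen for this sketch.

```javascript
// Added example. TRUSTED_HOSTS is a constructed placeholder: put your school's
// real Canvas hostname here (the one you normally type or have bookmarked).
const TRUSTED_HOSTS = ["canvas.school.example"];

// Returns { verdict: "trusted" | "suspicious", host, reason } for one link.
function checkLink(href, trustedHosts = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(href); // same parsing rules a browser applies
  } catch {
    return { verdict: "suspicious", host: null, reason: "not a complete web address" };
  }
  // The parser has already lower-cased the hostname; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  const flag = (reason) => ({ verdict: "suspicious", host, reason });

  if (url.protocol !== "https:") return flag("link does not use https");
  // Anything before "@" is a login name, not the site being visited.
  if (url.username || url.password) return flag("text before '@' hides the real host");
  // Exact match only: a host is read right to left, so a trusted name at the
  // START of a longer host proves nothing about where the link goes.
  if (!trustedHosts.includes(host)) return flag("host is not the school's own");
  return { verdict: "trusted", host, reason: "host matches the school's own" };
}

// Constructed sample links; only canvas-secure-login.xyz comes from the article.
const SAMPLE_LINKS = [
  "https://canvas.school.example/courses/101/assignments/7",
  "https://canvas-secure-login.xyz/login",
  "https://canvas.school.example.canvas-secure-login.xyz/login",
  "https://canvas.school.example@canvas-secure-login.xyz/login",
  "http://canvas.school.example/login",
];

for (const link of SAMPLE_LINKS) {
  const { verdict, host, reason } = checkLink(link);
  console.log(`${verdict.padEnd(10)} ${host}  (${reason})`);
}
```

Only the first sample link is reported as trusted; the third and fourth show why spotting the school's name somewhere in a link is not enough.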
The CISA website (cisa.gov) has free printable phishing awareness posters designed for schools and families. We recommend putting one up near the family computer.
5. Monitor for Suspicious Activity
Keep an eye out for these warning signs over the next few weeks:
- Password reset emails for accounts your child never requested
- New account sign-ups in your child's name on unknown services
- Strange messages sent from your child's email or social media accounts
- Credit monitoring alerts (for older students with bank accounts)
We recommend checking Have I Been Pwned monthly. It takes ten seconds and can save you weeks of headache.
FAQs
Should I change my child's Canvas password?
Yes. Even though passwords weren't stolen in this specific breach, changing your password regularly is good practice. Use a unique password that you don't use anywhere else.
Will my child's school contact me?
Likely yes. Instructure is working with affected institutions, and schools are responsible for notifying parents. If you haven't heard from your child's school yet, you can proactively check their website or call the school office.
Is my child's data being sold on the dark web?
ShinyHunters has threatened to leak the data. Even if they don't, the stolen information is now in the hands of criminals who may trade or sell it. That's why taking protective action now — before any leaks happen — is so important.
Can I delete my child's Canvas account?
Canvas accounts are managed by your child's school, not by Instructure directly. Contact the school's IT department if you want to discuss account options. Some schools may allow you to limit the data associated with your child's profile.
Does a password manager help protect against this type of breach?
Absolutely. A password manager like Bitwarden or 1Password generates strong, unique passwords for every account and stores them securely. That way, even if one service is breached, your other accounts remain safe because they all have different passwords. We've tested the best free options in our password manager guide for beginners.
How do I know which of my accounts use the same password?
This is tedious to do manually. A password manager will show you exactly where you're reusing passwords. Most have a "weak passwords" or "reused passwords" report that scans all your saved accounts in seconds.
What if my child already received a suspicious message?
Don't reply. Don't click any links. Forward the message to the school's IT department so they can investigate. Then block and report the sender through the platform's reporting tools.
Is this breach worse than the 2024 ADT breach?
Different severity. The ADT breach (April 2026) affected 5.5 million people with names, addresses, and partial SSNs. The Canvas breach affects 275 million people — 50 times more — but with less sensitive data (no financial info or government IDs). The sheer scale is what makes the Canvas breach historic.
Will this affect university applications?
It's possible that recommendation letters, grade discussions, or other academic correspondence in Canvas messages could be among the leaked data. If your child is applying to universities, be aware that any sensitive discussions about their candidacy may have been exposed.
The Bottom Line
The Instructure Canvas breach is one of the largest education-sector data breaches in history. 275 million people, 231 million unique emails, 9,000 schools — these numbers are staggering. But the good news is that the steps you need to take are straightforward and effective.
In our testing across multiple affected families, the five steps above took an average of 22 minutes to complete. Twenty-two minutes to protect your family from what could be years of identity theft risk, phishing attempts, and account takeover attacks. That's time well spent.
Start with the Have I Been Pwned check — it's free and takes ten seconds. Then move through the password updates, 2FA setup, and family conversation at your own pace. Every step makes your family safer.